The “Heartbleed” vulnerability discovered a few days ago is one of the most serious in the history of the Internet. If it was actually exploited, user passwords could have been read in plaintext from an estimated two thirds of all internet servers. We reported on the spread and the workings of this flaw in our Heartbleed article.
The bug is in the OpenSSL library, versions 1.0.1 through 1.0.1f, and allows an attacker to read 64 kBytes of the server's working memory, which may well include user passwords, however strong they are. Interestingly, the bug is not new: it had already surfaced in a bug report by the open-source developers two years ago, and its severity was evidently not recognized. Detailed information is available on the heartbleed.com page.
Whether the flaw was actually exploited before it became public, however, is a question nobody can answer at present. No public exploit (a program that makes use of this flaw) existed before. Our awareness, sharpened by the various surveillance scandals, understandably makes it hard to simply trust in the innocence of those involved.
Reading tip: The 25 worst passwords
Since the software in question is open source, the program author is also easy to identify. It is the American programmer Robin S., who is now facing a great deal of hostility online, up to and including the suspicion of having deliberately planted a backdoor. With a bug of this kind, however, intent cannot be told apart from a mistake, especially since it is a common and trivial error. The program author has now responded. He writes: "I've been working on OpenSSL and submitted a series of bug fixes and new features. I've obviously overlooked a length check in a patch for a new feature."
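The missing length check the author refers to is easiest to understand in code. The following is an added educational example, not code from this article or from OpenSSL: a deliberately simplified model of a heartbeat record (type byte, 16-bit declared payload length, payload, padding) with a parser that enforces the bound the patched code introduced. The record layout, the function names and the constructed sample records are assumptions of this example; the real OpenSSL record handling is not reproduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified heartbeat record layout (constructed for this example):
 *   byte 0     : message type (1 = request)
 *   bytes 1..2 : payload length as declared by the sender, big-endian
 *   bytes 3..  : payload, followed by at least 16 bytes of padding
 */
#define HB_REQUEST     1
#define HB_PADDING     16
#define HB_MAX_PAYLOAD 65535   /* 16-bit field, hence "up to 64 kBytes" */

/* Copies the payload of a heartbeat request into `out` and returns the
 * number of bytes copied, or -1 if the record is malformed.
 * The check on the declared length is the one the original code lacked:
 * without it, memcpy trusts the sender's 16-bit field and copies whatever
 * happens to follow a short record in process memory. */
int heartbeat_payload(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL || rec_len < 1 + 2 + HB_PADDING)
        return -1;                      /* too short to be a request */
    if (rec[0] != HB_REQUEST)
        return -1;

    size_t declared = ((size_t)rec[1] << 8) | rec[2];

    /* The fix: header, declared payload and padding must all fit inside
     * the bytes that were actually received. */
    if (1 + 2 + declared + HB_PADDING > rec_len)
        return -1;
    if (declared > out_cap)
        return -1;

    memcpy(out, rec + 3, declared);
    return (int)declared;
}

/* Builds a record carrying `payload_len` real bytes but claiming
 * `declared`, so honest and mismatched records can both be constructed.
 * Returns the record length, or 0 if the buffer is too small. */
size_t build_heartbeat(uint8_t *buf, size_t buf_cap, uint16_t declared,
                       const uint8_t *payload, size_t payload_len)
{
    size_t total = 1 + 2 + payload_len + HB_PADDING;
    if (buf_cap < total) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared & 0xff);
    memcpy(buf + 3, payload, payload_len);
    memset(buf + 3 + payload_len, 0, HB_PADDING);
    return total;
}

/* Helper: build a record with `actual` zero bytes of payload that claims
 * `declared`, and return the parser's verdict on it. */
int probe_record(uint16_t declared, size_t actual)
{
    uint8_t payload[32] = {0}, rec[64], out[64];
    if (actual > sizeof payload) return -2;
    size_t n = build_heartbeat(rec, sizeof rec, declared, payload, actual);
    return heartbeat_payload(rec, n, out, sizeof out);
}

/* Constructed check: an honest record is echoed back; one that declares
 * the maximum 65535 bytes but carries only 5 is rejected. Returns 1 on
 * success, 0 otherwise. */
int heartbeat_demo(void)
{
    uint8_t rec[64], out[64];
    const uint8_t msg[5] = {'h', 'e', 'l', 'l', 'o'};

    size_t n = build_heartbeat(rec, sizeof rec, 5, msg, sizeof msg);
    int honest = heartbeat_payload(rec, n, out, sizeof out);
    int echoed = (honest == 5 && memcmp(out, msg, 5) == 0);

    n = build_heartbeat(rec, sizeof rec, HB_MAX_PAYLOAD, msg, sizeof msg);
    int lying = heartbeat_payload(rec, n, out, sizeof out);

    return echoed && lying == -1;
}

int main(void)
{
    return heartbeat_demo() ? 0 : 1;
}
```

The point of the bound is that the declared length is attacker-controlled data, while `rec_len` is what the server actually received; the patched OpenSSL code compares the two in exactly this way before copying, and a record that fails the comparison is simply discarded.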
Reading tip: Secure passwords - here's how
For users, the question now is how to react to the possibility that all their passwords may have been compromised. The security-conscious will no doubt try to change all their passwords, including those for forums, online shops and so on. Whether this effort and the time it takes are worthwhile is questionable, however. The few really important passwords should nevertheless be changed to be on the safe side, in the hope that the server operators on the other end of the wire have done their homework and have by now installed the corrected modules.